/ PC World 2005 December / PCWorld_2005-12_cd.bin / software / temacd / tiny / tpf-6[1].5.126.exe / Tiny Firewall 2005.msi / Sandbox.xml1 < prev    next >
Extensible Markup Language  |  2005-08-17  |  61.1 KB  |  529 lines

  1.  ■<?xml version="1.0" encoding="UTF-16" standalone="no"?>
  2. <SecDb xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="Sandbox.xsd">
  3.     <VersionInfo major="2"/>
  4.     <Module id="Sandbox"/>
  5.     <Globals>
             <!-- Module-wide switches for the Sandbox module.
                  NOTE(review): the five *AL properties presumably set an audit level
                  for sandbox events (security change, process start/end, condition
                  change); what the value 1 means is not defined in this file.
                  Confirm against Sandbox.xsd. -->
  6.         <Property id="SBXChangeSecurityAL" type="int">1</Property>
  7.         <Property id="StartProcessAL" type="int">1</Property>
  8.         <Property id="EndProcessAL" type="int">1</Property>
  9.         <Property id="ChangeConditionAL" type="int">1</Property>
  10.         <Property id="ChangeProcConditionAL" type="int">1</Property>
             <!-- NOTE(review): both "unknown application start" dialog properties are 0.
                  If 0 disables the prompt, an unknown executable starts without user
                  confirmation and is governed only by the app="*" rules. Confirm. -->
  11.         <Property id="UnkAppStartDlg" type="int">0</Property>
  12.         <Property id="UnkSysAppStartDlg" type="int">0</Property>
             <!-- Names the group "SafeDlls"; its membership is not defined in the
                  visible part of this file. Presumably DLLs in that group are treated
                  as safe to inject, so review who is able to add entries to it. -->
  13.         <Property id="SafeToInjectDllGroup" type="str">SafeDlls</Property>
  14.     </Globals>
  15.     <Definitions>
  16.         <Object ot="File" id="Fixed drives">
  17.             <Item>%FixedDrives%</Item>
  18.         </Object>
  19.         <Object ot="File" id="Removable drives">
  20.             <Item>%RemovableDrives%</Item>
  21.         </Object>
  22.         <Object ot="File" id="CD-ROM files">
  23.             <Item>%CdRoms%</Item>
  24.         </Object>
  25.         <Object ot="File" id="Personal Contacts">
  26.             <Item>%UserSpecific%\Local AppData\\\Microsoft\Outlook</Item>
  27.             <Item>%UserSpecific%\AppData\\\Microsoft\Address Book</Item>
  28.         </Object>
  29.         <Object ot="File" id="System Config">
  30.             <Item>%SystemRoot%\System32\Config</Item>
  31.             <Item>%SystemRoot%\Repair</Item>
  32.         </Object>
  33.         <Object ot="File" id="Temporary Folders">
  34.             <Item>%UserSpecific%\Local Settings\\\Temp</Item>
  35.             <Item>%UserSpecific%\Local Settings\\\Temporary Internet Files</Item>
  36.             <Item>%SystemRoot%\Temp</Item>
  37.             <Item>%SystemRoot%\Sti_Trace.log</Item>
  38.         </Object>
  39.         <Object ot="File" id="All Exes in Program Files and subdirs">
                 <!-- Enumerates *.exe directly in %ProgramFiles% and at one to five
                      directory levels below it, one pattern per depth.
                      NOTE(review): assuming "?*" matches exactly one non-empty path
                      component, executables nested deeper than five levels are not
                      covered. The only visible consumer is rule FS11, which ships
                      with disabled="1". -->
  40.             <Item>%ProgramFiles%\*.exe</Item>
  41.             <Item>%ProgramFiles%\?*\*.exe</Item>
  42.             <Item>%ProgramFiles%\?*\?*\*.exe</Item>
  43.             <Item>%ProgramFiles%\?*\?*\?*\*.exe</Item>
  44.             <Item>%ProgramFiles%\?*\?*\?*\?*\*.exe</Item>
  45.             <Item>%ProgramFiles%\?*\?*\?*\?*\?*\*.exe</Item>
  46.         </Object>
  47.         <Object ot="File" id="ActiveX Cache">
  48.             <Item>%DirOnKeyEnumValue%\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Cache</Item>
  49.         </Object>
  50.         <Object ot="File" id="Windows Directory">
  51.             <Item>%SystemRoot%</Item>
  52.         </Object>
  53.         <Object ot="File" id="Startup Folder">
  54.             <Item>%UserSpecific%\Startup</Item>
  55.         </Object>
  56.         <Object ot="File" id="Tiny Firewall Files">
  57.             <Item>%DirOnKeyValue%\HKLM\Software\Tiny Software\Tiny Firewall\\InstallDir</Item>
  58.             <Item>%ProgramFiles%\Common Files\PFShared</Item>
  59.         </Object>
  60.         <Object ot="File" id="TF Quarantine Folder">
  61.             <Item>%DirOnKeyValue%\HKLM\Software\Tiny Software\Tiny Firewall\\InstallDir\\\Quarantine</Item>
  62.         </Object>
  63.         <Object ot="File" id="Hidden Protected Files">
                 <!-- Shipped with no Item entries, as is "ReadOnly Files" below.
                      Rules FS1, FS2, FS5 and FS6 reference these two objects.
                      NOTE(review): presumably an empty object matches no file, so
                      those rules protect nothing until entries are added here. -->
  64.         </Object>
  65.         <Object ot="File" id="ReadOnly Files">
  66.         </Object>
  67.         <Object ot="Registry" id="RunKeys">
                 <!-- Registry autostart locations grouped for rule RS20.
                      RS20 ships with disabled="1", so in the default policy none of
                      these keys is guarded; writes fall through to the RS21 allow-all.
                      This list is not a full inventory of Windows autostart locations;
                      audit it against a current reference before relying on it. -->
  68.             <Item>HKLM\Software\Microsoft\Windows\CurrentVersion\Run</Item>
  69.             <Item>HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce</Item>
  70.             <Item>HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</Item>
  71.             <Item>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</Item>
  72.             <Item>HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce</Item>
  73.             <Item>HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows</Item>
  74.             <Item>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows</Item>
  75.             <Item>HKLM\Software\Microsoft\Active Setup\Installed Components</Item>
  76.         </Object>
  77.         <Object ot="Registry" id="ExtensionAssociation">
                 <!-- File-association keys for launchable file types, guarded by rule
                      RS16. Each type appears twice: the extension key (HKCR\.exe) and
                      the handler key it points to (HKCR\exefile).
                      This is a denylist: any type not listed falls through to the RS21
                      allow-all. NOTE(review): .jse is listed but plain .js is not, and
                      other launchable types are absent as well; review the coverage. -->
  78.             <Item>HKCR\exefile</Item>
  79.             <Item>HKCR\.exe</Item>
  80.             <Item>HKCR\comfile</Item>
  81.             <Item>HKCR\.com</Item>
  82.             <Item>HKCR\batfile</Item>
  83.             <Item>HKCR\.bat</Item>
  84.             <Item>HKCR\cmdfile</Item>
  85.             <Item>HKCR\.cmd</Item>
  86.             <Item>HKCR\vbsfile</Item>
  87.             <Item>HKCR\.vbs</Item>
  88.             <Item>HKCR\vbefile</Item>
  89.             <Item>HKCR\.vbe</Item>
  90.             <Item>HKCR\jsefile</Item>
  91.             <Item>HKCR\.jse</Item>
  92.             <Item>HKCR\wsffile</Item>
  93.             <Item>HKCR\.wsf</Item>
  94.             <Item>HKCR\wshfile</Item>
  95.             <Item>HKCR\.wsh</Item>
  96.             <Item>HKCR\scrfile</Item>
  97.             <Item>HKCR\.scr</Item>
  98.             <Item>HKCR\piffile</Item>
  99.             <Item>HKCR\.pif</Item>
  100.             <Item>HKCR\regfile</Item>
  101.             <Item>HKCR\.reg</Item>
  102.         </Object>
  103.         <Object ot="Registry" id="DebugKeys">
  104.             <Item>HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</Item>
  105.             <Item>HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</Item>
  106.         </Object>
  107.         <Object ot="Registry" id="PolicyKeys">
  108.             <Item>HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System</Item>
  109.             <Item>HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System</Item>
  110.         </Object>
  111.         <Object ot="Registry" id="DriverLoading">
  112.             <Item>HKLM\System\CurrentControlSet\Control\GroupOrderList</Item>
  113.             <Item>HKLM\System\CurrentControlSet\Control\ServiceGroupOrder</Item>
  114.         </Object>
  115.         <Object ot="Registry" id="Internet Explorer Keys to store Bars and Search">
  116.             <Item>HKLM\Software\Microsoft\Internet Explorer\Explorer Bars</Item>
  117.             <Item>HKLM\Software\Microsoft\Internet Explorer\Search</Item>
  118.         </Object>
  119.         <Object ot="Registry" id="Tiny Firewall key">
  120.             <Item>HKLM\Software\Tiny Software\Tiny Firewall</Item>
  121.         </Object>
  122.         <Object ot="COM" id="TF Configuration COM Service (UmxCfg)">
  123.             <Item>{5EBFD120-E4FE-46C5-8E21-05D903BAAEEC}</Item>
  124.         </Object>
  125.         <Object ot="COM" id="TF Policy Manager COM Service (UmxPol)">
  126.             <Item>{4C89C3FD-5F94-4678-BBB5-F64759C3C54A}</Item>
  127.         </Object>
  128.         <Object ot="Service" id="TF Services">
                  <!-- Service names of the firewall's own components.
                       NOTE(review): no rule in the visible RuleList uses
                       obj_id="TF Services", and the generic service rule SS3 ships
                       with disabled="1". From what is shown here, stopping or removing
                       these services is not restricted for untrusted applications.
                       Confirm against the remainder of the file. -->
  129.             <Item>UmxAgent</Item>
  130.             <Item>UmxCfg</Item>
  131.             <Item>UmxFwHlp</Item>
  132.             <Item>UmxLU</Item>
  133.             <Item>UmxPol</Item>
  134.             <Item>UmxUTA</Item>
  135.         </Object>
  136.     </Definitions>
  137.     <ExceptionList>
              <!-- NOTE(review): the semantics of this list are not defined in the file.
                   activeGuardsMask presumably names the guards that are enforced for
                   the matching application and account. Under that reading, processes
                   running under account="system" are checked only by the Spawning and
                   Device guards; the File, Registry, Service, COM, SystemPrivilege and
                   DllLoading guards do not apply to them. The third entry repeats the
                   second entry's mask for the TrustedServices group. Confirm. -->
  138.         <AppItem app="*" activeGuardsMask="File|Registry|Spawning|Service|Device|COM|SystemPrivilege|DllLoading" priority="high"/>
  139.         <AppItem app="*" activeGuardsMask="Spawning|Device" priority="high" account="system"/>
  140.         <AppItem app_id="TrustedServices" activeGuardsMask="Spawning|Device" priority="high" account="system"/>
  141.     </ExceptionList>
  142.     <RuleList>
  143.         <Rule id="FS1" priority="high" preferred="true" ot="File" obj_id="Hidden Protected Files" app_id="AllowHiddenFilesApps" desc="Allows Hidden Files for Allowed Applications">
                  <!-- Allow-side exemption paired with FS5: applications in
                       AllowHiddenFilesApps get unlogged read/create/write/delete on
                       the "Hidden Protected Files" object. That object is empty in
                       the Definitions section, and the group's membership is not
                       defined in the visible part of this file. -->
  144.             <AccessDesc at="FileRead" ar="Allow" al="Ignore"/>
  145.             <AccessDesc at="FileCreate" ar="Allow" al="Ignore"/>
  146.             <AccessDesc at="FileWrite" ar="Allow" al="Ignore"/>
  147.             <AccessDesc at="FileDelete" ar="Allow" al="Ignore"/>
  148.         </Rule>
  149.         <Rule id="FS2" priority="high" preferred="true" ot="File" obj_id="ReadOnly Files" app_id="AllowReadOnlyFilesApps" desc="Allows Read Only Files for Allowed Applications">
                  <!-- Same pattern for "ReadOnly Files" (also empty), paired with FS6. -->
  150.             <AccessDesc at="FileRead" ar="Allow" al="Ignore"/>
  151.             <AccessDesc at="FileCreate" ar="Allow" al="Ignore"/>
  152.             <AccessDesc at="FileWrite" ar="Allow" al="Ignore"/>
  153.             <AccessDesc at="FileDelete" ar="Allow" al="Ignore"/>
  154.         </Rule>
              <!-- FS4 has no AccessDesc children; per its desc this means unrestricted
                   file access for the Trusted group. Membership of "Trusted" therefore
                   decides who bypasses every file rule below; it is not defined in the
                   visible part of this file. -->
  155.         <Rule id="FS4" priority="high" preferred="true" ot="File" obj_id="*" app_id="Trusted" desc="Unlimited access to all files for Trusted group"/>
  156.         <Rule id="FS5" priority="high" preferred="true" ot="File" obj_id="Hidden Protected Files" app="*" account="both" desc="Hides Hidden Files for All Applications">
  157.             <AccessDesc at="FileRead" ar="Prevent" al="Ignore"/>
  158.             <AccessDesc at="FileCreate" ar="Prevent" al="Monitor"/>
  159.             <AccessDesc at="FileWrite" ar="Prevent" al="Monitor"/>
  160.             <AccessDesc at="FileDelete" ar="Prevent" al="Monitor"/>
  161.         </Rule>
  162.         <Rule id="FS6" priority="high" preferred="true" ot="File" obj_id="ReadOnly Files" app="*" account="both" desc="Read Only Files for All Applications">
  163.             <AccessDesc at="FileRead" ar="Allow" al="Ignore"/>
  164.             <AccessDesc at="FileCreate" ar="Prevent" al="Monitor"/>
  165.             <AccessDesc at="FileWrite" ar="Prevent" al="Monitor"/>
  166.             <AccessDesc at="FileDelete" ar="Prevent" al="Monitor"/>
  167.         </Rule>
  168.         <Rule id="FS7" priority="high" preferred="true" ot="File" obj_id="TF Quarantine Folder" app="*" desc="Prevents change access to Quarantine folder">
                  <!-- Denies and logs FileWrite and FileDelete in the quarantine folder
                       for every application. FileRead and FileCreate are not listed
                       here, so they are decided by whichever other rule matches.
                       NOTE(review): FS16 presumably covers FileCreate because the
                       quarantine folder lies under the install directory; no visible
                       rule denies FileRead, so quarantined files stay readable by
                       untrusted applications. Confirm that this is intended. -->
  169.             <AccessDesc at="FileWrite" ar="Prevent" al="Monitor"/>
  170.             <AccessDesc at="FileDelete" ar="Prevent" al="Monitor"/>
  171.         </Rule>
  172.         <Rule id="FS8" priority="low" ot="File" obj_id="Personal Contacts" app="msimn.exe" desc="Allows access to Address Book and Outlook.pst files for Outlook Express">
                  <!-- Exemption from the FS12 deny for the mail client. The application
                       is identified by bare image name only.
                       NOTE(review): if matching uses the file name alone (no path or
                       hash is given here), any executable with this name receives
                       unlogged access to the contact stores. Confirm how app= is
                       resolved. The same applies to FS9. -->
  173.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  174.         </Rule>
  175.         <Rule id="FS9" priority="low" ot="File" obj_id="Personal Contacts" app="outlook.exe" desc="Allows access to Address Book and Outlook.pst files for Outlook">
  176.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  177.         </Rule>
  178.         <Rule id="FS10" priority="low" ot="File" obj_id="ActiveX Cache" app="*" desc="Allows access to ActiveX cache">
                  <!-- Every application gets every access type on the ActiveX cache
                       directory, with al="Ignore" (no log entry). This directory holds
                       downloaded code, so writes to it are worth monitoring rather
                       than ignoring. -->
  179.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  180.         </Rule>
  181.         <Rule id="FS11" priority="low" ot="File" obj_id="All Exes in Program Files and subdirs" app="*" disabled="1" desc="Asks when attempt to modify .exe file in Program Files folder">
                  <!-- Ships with disabled="1": in the default policy, modification or
                       deletion of executables under Program Files is not intercepted
                       and falls through to the FS18 allow-all. -->
  182.             <AccessDesc at="FileWrite" ar="Prevent" al="Monitor"/>
  183.             <AccessDesc at="FileDelete" ar="Prevent" al="Monitor"/>
  184.         </Rule>
  185.         <Rule id="FS12" priority="low" ot="File" obj_id="Personal Contacts" app="*" desc="Prevents access to Address Book and Outlook.pst files">
                  <!-- Default deny (all access types, logged) on the contact stores.
                       FS8 and FS9 carve out the mail clients at the same priority.
                       NOTE(review): this presumably relies on FS8/FS9 being evaluated
                       before this rule; confirm the ordering semantics. -->
  186.             <AccessDesc at="*" ar="Prevent" al="Monitor"/>
  187.         </Rule>
  188.         <Rule id="FS13" priority="low" ot="File" obj_id="Startup Folder" app="*" desc="Asks when attempt to add or modify file in the Startup folder (to avoid autostart of unknown apps)">
  189.             <AccessDesc at="FileWrite" ar="Prevent" al="Monitor"/>
  190.             <AccessDesc at="FileCreate" ar="Prevent" al="Monitor"/>
  191.             <AccessDesc at="FileDelete" ar="Prevent" al="Monitor"/>
  192.         </Rule>
  193.         <Rule id="FS14" priority="low" ot="File" obj_id="System Config" app="*" desc="Prevents access to Repair (contains hashed passwords) and Config (contains registry hives) folders">
  194.             <AccessDesc at="*" ar="Prevent" al="Monitor"/>
  195.         </Rule>
  196.         <Rule id="FS15" priority="low" ot="File" obj_id="Temporary Folders" app="*" desc="Allows access to Temporary Folders">
  197.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  198.         </Rule>
  199.         <Rule id="FS16" priority="low" ot="File" obj_id="Tiny Firewall Files" app="*" desc="Prevents changing Tiny Firewall files">
  200.             <AccessDesc at="FileWrite" ar="Prevent" al="Monitor"/>
  201.             <AccessDesc at="FileCreate" ar="Prevent" al="Monitor"/>
  202.             <AccessDesc at="FileDelete" ar="Prevent" al="Monitor"/>
  203.         </Rule>
  204.         <Rule id="FS17" priority="low" ot="File" obj_id="Windows Directory" app="*" disabled="1" desc="Asks when attempt to change files in Windows dir and its subdirs">
                  <!-- Ships with disabled="1": changes under %SystemRoot% are not
                       intercepted by default, apart from the narrower FS14 rule for
                       the Config and Repair folders. -->
  205.             <AccessDesc at="FileWrite" ar="Prevent" al="Monitor"/>
  206.             <AccessDesc at="FileCreate" ar="Prevent" al="Monitor"/>
  207.             <AccessDesc at="FileDelete" ar="Prevent" al="Monitor"/>
  208.         </Rule>
              <!-- FS18 is the file catch-all: anything not matched above is allowed.
                   The file policy is therefore a denylist and fails open for any
                   location that the Definitions section does not name. -->
  209.         <Rule id="FS18" priority="low" ot="File" obj_id="*" app="*" desc="Allows full access to all other files"/>
  210.         <Rule id="SS2" priority="low" ot="Service" obj_id="*" app_id="Trusted" desc="Allows installing, removing or controlling any service for Trusted group"/>
  211.         <Rule id="SS3" priority="low" ot="Service" obj_id="*" app="*" disabled="1" desc="Asks when about to stop, install or remove service">
                  <!-- The only visible service rule for untrusted applications, and it
                       ships with disabled="1". SS2 above grants the Trusted group full
                       service control. NOTE(review): with SS3 off, no visible rule
                       restricts service install, removal or stop for other
                       applications, including for the firewall's own services listed
                       in the "TF Services" object. Confirm the default outcome when
                       no Service rule matches. -->
  212.             <AccessDesc at="ServiceRemove" ar="Prevent" al="Monitor"/>
  213.             <AccessDesc at="ServiceInstall" ar="Prevent" al="Monitor"/>
  214.             <AccessDesc at="ServiceStop" ar="Prevent" al="Monitor"/>
  215.         </Rule>
  216.         <Rule id="RS2" priority="high" preferred="true" ot="Registry" obj_id="*" app_id="Trusted" desc="Unlimited access to all keys for Trusted group"/>
  217.         <Rule id="RS3" priority="low" ot="Registry" app="*" desc="Monitors delete access in HKLM\Software key">
  218.             <Object>HKLM\Software</Object>
  219.             <AccessDesc at="KeyDelete" ar="Allow" al="Monitor"/>
  220.         </Rule>
  221.         <Rule id="RS4" priority="low" ot="Registry" app="*" disabled="1" desc="Asks when attempt to add or change content of Windows NT key (lots of system cfg stored here)">
  222.             <Object>HKLM\Software\Microsoft\Windows NT</Object>
  223.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  224.             <AccessDesc at="KeyCreate" ar="Prevent" al="Monitor"/>
  225.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  226.         </Rule>
  227.         <Rule id="RS5" priority="low" ot="Registry" app="*" desc="Asks when attempt to change content of SvcHost key (could host code running under system account)">
  228.             <Object>HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost</Object>
  229.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  230.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  231.         </Rule>
  232.         <Rule id="RS6" priority="low" ot="Registry" app="*" desc="Asks when attempt to add or change content of Winlogon key (a dll can be added here to have complete control over user login)">
  233.             <Object>HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Object>
  234.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  235.             <AccessDesc at="KeyCreate" ar="Prevent" al="Monitor"/>
  236.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  237.         </Rule>
  238.         <Rule id="RS7" priority="low" ot="Registry" app="*" desc="Asks when attempt to write into explorer\Advanced key (can possibly autostart some processes)">
  239.             <Object>HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced</Object>
  240.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  241.         </Rule>
  242.         <Rule id="RS8" priority="low" ot="Registry" app="*" desc="Monitors create and delete access to HKLM\System key">
  243.             <Object>HKLM\System</Object>
  244.             <AccessDesc at="KeyCreate" ar="Allow" al="Monitor"/>
  245.             <AccessDesc at="KeyDelete" ar="Allow" al="Monitor"/>
  246.         </Rule>
  247.         <Rule id="RS9" priority="low" ot="Registry" app="*" desc="Asks when attempt to change content of Session Manager key (changing system settings such as DOS Devices, Environment and Subsystems)">
  248.             <Object>HKLM\System\CurrentControlSet\Control\Session Manager</Object>
  249.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  250.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  251.         </Rule>
  252.         <Rule id="RS10" priority="low" ot="Registry" app="*" desc="Asks when attempt to write into WOW key (16-bit environment cfg)">
  253.             <Object>HKLM\System\CurrentControlSet\Control\WOW</Object>
  254.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  255.         </Rule>
  256.         <Rule id="RS11" priority="low" ot="Registry" app="*" desc="Asks when attempt to change content of hivelist key (contains location of registry data between boots)">
  257.             <Object>HKLM\System\CurrentControlSet\Control\hivelist</Object>
  258.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  259.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  260.         </Rule>
  261.         <Rule id="RS12" priority="low" ot="Registry" app="*" desc="Asks when attempt to delete content of Hardware Profiles key">
  262.             <Object>HKLM\System\CurrentControlSet\Hardware Profiles</Object>
  263.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  264.         </Rule>
  265.         <Rule id="RS13" priority="low" ot="Registry" app="*" disabled="1" desc="Asks when attempt to add or change content of Services key (contains drivers and services to run under system account)">
                  <!-- Ships with disabled="1". The Services key registers drivers and
                       services that run under the system account (see desc), so by
                       default writes to it are covered only by the RS8 monitor-only
                       rule on HKLM\System (create/delete logged, all allowed). -->
  266.             <Object>HKLM\System\CurrentControlSet\Services</Object>
  267.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  268.             <AccessDesc at="KeyCreate" ar="Prevent" al="Monitor"/>
  269.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  270.         </Rule>
  271.         <Rule id="RS14" priority="low" ot="Registry" obj_id="DebugKeys" app="*" desc="Asks when attempt to change content of Debug keys (when target app starts, inserted app autostarts and has full control over the target app)">
  272.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  273.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  274.         </Rule>
  275.         <Rule id="RS15" priority="low" ot="Registry" obj_id="DriverLoading" app="*"  desc="Asks when attempt to change content of Driver Loading key (stores loading order of drivers and services)">
  276.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  277.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  278.         </Rule>
  279.         <Rule id="RS16" priority="low" ot="Registry" obj_id="ExtensionAssociation" app="*" desc="Asks when attempt to add or change content of Extension Association keys (click on any .bat or .exe can start inserted app instead)">
  280.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  281.             <AccessDesc at="KeyCreate" ar="Prevent" al="Monitor"/>
  282.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  283.         </Rule>
  284.         <Rule id="RS17" priority="low" ot="Registry" obj_id="Internet Explorer Keys to store Bars and Search" app="*" desc="Asks when attempt to change IE Search and Explorer Bars keys (annoying unwanted changing of IE search engine)">
  285.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  286.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  287.         </Rule>
  288.         <Rule id="RS18" priority="low" ot="Registry" obj_id="Tiny Firewall key" app="*" desc="Asks when attempt to change content of Tiny Firewall key">
  289.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  290.             <AccessDesc at="KeyCreate" ar="Prevent" al="Monitor"/>
  291.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  292.         </Rule>
  293.         <Rule id="RS19" priority="low" ot="Registry" obj_id="PolicyKeys" app="*" desc="Asks when attempt to change content of Policy keys (can e.g. disable regedit.exe to run)">
  294.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  295.             <AccessDesc at="KeyDelete" ar="Prevent" al="Monitor"/>
  296.         </Rule>
  297.         <Rule id="RS20" priority="low" ot="Registry" obj_id="RunKeys" disabled="1" app="*" desc="Asks when attempt to add or change content of Run keys (can autostart any application)">
                  <!-- Ships with disabled="1": the autostart keys in the RunKeys
                       object are unguarded in the default policy. When enabled, write
                       and create are denied and logged, while delete is allowed and
                       logged, so removing an existing autostart entry is permitted. -->
  298.             <AccessDesc at="KeyWrite" ar="Prevent" al="Monitor"/>
  299.             <AccessDesc at="KeyCreate" ar="Prevent" al="Monitor"/>
  300.             <AccessDesc at="KeyDelete" ar="Allow" al="Monitor"/>
  301.         </Rule>
  302.         <Rule id="RS21" priority="low" ot="Registry" obj_id="*" app="*" desc="Allows full access to all other keys">
                  <!-- Registry catch-all: every key not matched by an enabled rule
                       above is fully accessible and not logged. The registry policy
                       is a denylist and fails open. -->
  303.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  304.         </Rule>
  305.         <Rule id="DS1" priority="low" ot="Device" app_id="AllowRawIPApps" desc="Allows access to Ndisuio driver for AllowRawIPApps group">
                  <!-- First of four rules (DS1 to DS4) granting the AllowRawIPApps
                       group access to the Ndisuio, IPMULTICAST, Ip and RawIp devices.
                       NOTE(review): DS23 to DS26 further down grant the same objects
                       to app="*", so as shipped the group restriction does not narrow
                       raw network access. Presumably those later rules are meant to
                       be tightened by the administrator. -->
  306.             <Object>Ndisuio\DevN\*\</Object>
  307.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  308.         </Rule>
  309.         <Rule id="DS2" priority="low" ot="Device" app_id="AllowRawIPApps" desc="Allows access to IPMULTICAST device for AllowRawIPApps group">
  310.             <Object>Tcpip\DevN\*\IPMULTICAST</Object>
  311.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  312.         </Rule>
  313.         <Rule id="DS3" priority="low" ot="Device" app_id="AllowRawIPApps" desc="Allows access to IP device for AllowRawIPApps group">
  314.             <Object>Tcpip\DevN\*\Ip</Object>
  315.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  316.         </Rule>
  317.         <Rule id="DS4" priority="low" ot="Device" app_id="AllowRawIPApps" desc="Allows access to RawIp device for AllowRawIPApps group">
  318.             <Object>Tcpip\DevN\*\RawIp</Object>
  319.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  320.         </Rule>
  321.         <Rule id="DS5" priority="low" ot="Device" app_id="Trusted" desc="Allows dangerous IOCTL to all devices for Trusted group">
                  <!-- Grants the Trusted group every access type on DangerousIoctl\*
                       without logging. NOTE(review): DS20 further down grants the same
                       access to app="*", so this group restriction has no narrowing
                       effect in the shipped policy. -->
  322.             <Object>DangerousIoctl\*</Object>
  323.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  324.         </Rule>
  325.         <Rule id="DS6" priority="low" ot="Device" app_id="Trusted" desc="Allows access to Ndisuio driver for Trusted group">
  326.             <Object>Ndisuio\DevN\*\</Object>
  327.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  328.         </Rule>
  329.         <Rule id="DS7" priority="low" ot="Device" app_id="Trusted" desc="Allows access to IPMULTICAST device for Trusted group">
  330.             <Object>Tcpip\DevN\*\IPMULTICAST</Object>
  331.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  332.         </Rule>
  333.         <Rule id="DS8" priority="low" ot="Device" app_id="Trusted" desc="Allows access to IP device for Trusted group">
  334.             <Object>Tcpip\DevN\*\Ip</Object>
  335.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  336.         </Rule>
  337.         <Rule id="DS9" priority="low" ot="Device" app_id="Trusted" desc="Allows access to RawIp device for Trusted group">
  338.             <Object>Tcpip\DevN\*\RawIp</Object>
  339.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  340.         </Rule>
  341.         <Rule id="DS10" priority="low" ot="Device" app="*" desc="Allows access to CD-ROM and DVD-ROM drives">
  342.             <Object>*\Link\CDROM\*</Object>
  343.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  344.         </Rule>
  345.         <Rule id="DS11" priority="low" ot="Device" app="*" account="system" desc="Allows access to CD-ROM and DVD-ROM drives (system)">
  346.             <Object>*\Link\CDROM\*</Object>
  347.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  348.         </Rule>
  349.         <Rule id="DS12" priority="low" ot="Device" app="*" desc="Allows access to Floppy Disks">
  350.             <Object>*\Link\FloppyDisk\*</Object>
  351.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  352.         </Rule>
  353.         <Rule id="DS13" priority="low" ot="Device" app="*" account="system" desc="Allows access to Floppy Disks (system)">
  354.             <Object>*\Link\FloppyDisk\*</Object>
  355.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  356.         </Rule>
  357.         <Rule id="DS14" priority="low" ot="Device" app="*" desc="Allows access to Infrared">
  358.             <Object>*\Link\Infrared\*</Object>
  359.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  360.         </Rule>
  361.         <Rule id="DS15" priority="low" ot="Device" app="*" account="system" desc="Allows access to Infrared (system)">
  362.             <Object>*\Link\Infrared\*</Object>
  363.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  364.         </Rule>
  365.         <Rule id="DS16" priority="low" ot="Device" app="*" desc="Allows access to Modems">
  366.             <Object>*\Link\Modem\*</Object>
  367.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  368.         </Rule>
  369.         <Rule id="DS17" priority="low" ot="Device" app="*" account="system" desc="Allows access to Modems (system)">
  370.             <Object>*\Link\Modem\*</Object>
  371.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  372.         </Rule>
  373.         <Rule id="DS18" priority="low" ot="Device" app="*" desc="Allows access to Serial and Parallel ports">
  374.             <Object>*\Link\Ports\*</Object>
  375.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  376.         </Rule>
  377.         <Rule id="DS19" priority="low" ot="Device" app="*" account="system" desc="Allows access to Serial and Parallel ports (system)">
  378.             <Object>*\Link\Ports\*</Object>
  379.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  380.         </Rule>
  381.         <Rule id="DS20" priority="low" ot="Device" app="*" desc="Allows dangerous IOCTL access to all devices">
                  <!-- Every application may issue the IOCTLs that the product itself
                       classifies as dangerous, and al="Ignore" means no log entry is
                       written. For a hardened profile, change this rule to Prevent or
                       at least Monitor and rely on DS5 for the Trusted group. -->
  382.             <Object>DangerousIoctl\*</Object>
  383.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  384.         </Rule>
  385.         <Rule id="DS21" priority="low" ot="Device" app="*" desc="Allows access to FireWire Disks">
  386.             <Object>Disk\Link\*\Sbp2*</Object>
  387.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  388.         </Rule>
  389.         <Rule id="DS31" priority="low" ot="Device" app="*" account="system" desc="Allows access to FireWire Disks (system)">
  390.             <Object>Disk\Link\*\Sbp2*</Object>
  391.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  392.         </Rule>
  393.         <Rule id="DS22" priority="low" ot="Device" app="*" desc="Allows access to USB Disks">
  394.             <Object>Disk\Link\*\usbstor*</Object>
  395.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  396.         </Rule>
  397.         <Rule id="DS32" priority="low" ot="Device" app="*" account="system" desc="Allows access to USB Disks (system)">
  398.             <Object>Disk\Link\*\usbstor*</Object>
  399.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  400.         </Rule>
  401.         <Rule id="DS23" priority="low" ot="Device" app="*" desc="Allows access to Ndisuio driver">
  402.             <Object>Ndisuio\DevN\*\</Object>
  403.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  404.         </Rule>
  405.         <Rule id="DS24" priority="low" ot="Device" app="*" desc="Allows access to IPMULTICAST device">
  406.             <Object>Tcpip\DevN\*\IPMULTICAST</Object>
  407.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  408.         </Rule>
  409.         <Rule id="DS25" priority="low" ot="Device" app="*" desc="Allows access to Ip device">
  410.             <Object>Tcpip\DevN\*\Ip</Object>
  411.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  412.         </Rule>
  413.         <Rule id="DS26" priority="low" ot="Device" app="*" desc="Allows access to RawIp device">
  414.             <Object>Tcpip\DevN\*\RawIp</Object>
  415.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  416.         </Rule>
  417.         <Rule id="DS27" priority="low" ot="Device" app="*" desc="Allows access to irda driver (Infrared)">
  418.             <Object>irda\DevN\*\</Object>
  419.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  420.         </Rule>
  421.         <Rule id="DS28" priority="low" ot="Device" app="*" account="system" desc="Allows access to irda driver (Infrared - system)">
  422.             <Object>irda\DevN\*\</Object>
  423.             <AccessDesc at="*" ar="Allow" al="Ignore"/>
  424.         </Rule>
              <!-- DS29 and DS30 are the device catch-alls for the user and system
                   accounts. They carry no AccessDesc children; per their desc they
                   allow access to every device, which makes all the per-device allow
                   rules above redundant unless these two are tightened. The device
                   policy as shipped is allow-all. -->
  425.         <Rule id="DS29" priority="low" ot="Device" obj_id="*" app="*" desc="Allows access to all devices"/>
  426.         <Rule id="DS30" priority="low" ot="Device" obj_id="*" app="*" account="system" desc="Allows access to all devices (system)"/>
  427.         <Rule id="CS2" priority="low" ot="COM" obj_id="TF Configuration COM Service (UmxCfg)" app_id="Trusted" desc="Allows access to TF UmxCfg COM object for Trusted group">
  428.             <AccessDesc at="COMCreateInProc" ar="Allow" al="Ignore"/>
  429.             <AccessDesc at="COMCreateLocSrv" ar="Allow" al="Ignore"/>
  430.             <AccessDesc at="COMCreateRemSrv" ar="Allow" al="Ignore"/>
  431.         </Rule>
  432.         <Rule id="CS3" priority="low" ot="COM" obj_id="TF Policy Manager COM Service (UmxPol)" app_id="Trusted" desc="Allows access to TF UmxPol COM object for Trusted group">
  433.             <AccessDesc at="COMCreateInProc" ar="Allow" al="Ignore"/>
  434.             <AccessDesc at="COMCreateLocSrv" ar="Allow" al="Ignore"/>
  435.             <AccessDesc at="COMCreateRemSrv" ar="Allow" al="Ignore"/>
  436.         </Rule>
  437.         <Rule id="CS4" priority="low" ot="COM" obj_id="*" app_id="Trusted" desc="Allows access to all COM objects for Trusted group"/>
  438.         <Rule id="CS5" priority="low" ot="COM" obj_id="TF Configuration COM Service (UmxCfg)" app="*" desc="Prevents access to TF UmxCfg COM object">
                  <!-- The desc says "Prevents", but only local-server and
                       remote-server activation are denied and logged. In-process
                       creation (COMCreateInProc) is allowed without logging for every
                       application. NOTE(review): confirm that in-process activation of
                       the configuration object cannot be used to change policy. The
                       same pattern applies to CS6 for the policy manager object. -->
  439.             <AccessDesc at="COMCreateInProc" ar="Allow" al="Ignore"/>
  440.             <AccessDesc at="COMCreateLocSrv" ar="Prevent" al="Monitor"/>
  441.             <AccessDesc at="COMCreateRemSrv" ar="Prevent" al="Monitor"/>
  442.         </Rule>
  443.         <Rule id="CS6" priority="low" ot="COM" obj_id="TF Policy Manager COM Service (UmxPol)" app="*" desc="Prevents access to TF UmxPol COM object">
  444.             <AccessDesc at="COMCreateInProc" ar="Allow" al="Ignore"/>
  445.             <AccessDesc at="COMCreateLocSrv" ar="Prevent" al="Monitor"/>
  446.             <AccessDesc at="COMCreateRemSrv" ar="Prevent" al="Monitor"/>
  447.         </Rule>
  448.         <Rule id="CS7" priority="low" ot="COM" obj_id="*" app="*" desc="Monitors access to other applications via COM technology">
                  <!-- COM catch-all: local-server and remote-server activation of any
                       other COM object is allowed but logged. In-process creation is
                       not listed in this rule. -->
  449.             <AccessDesc at="COMCreateLocSrv" ar="Allow" al="Monitor"/>
  450.             <AccessDesc at="COMCreateRemSrv" ar="Allow" al="Monitor"/>
  451.         </Rule>
  452.         <Rule id="YS1" priority="low" ot="SystemPrivilege" obj_id="*" app="iexplore.exe" desc="Prevents IE to inject code and acquire system privileges"> <!-- NOTE(review): this iexplore.exe rule lists InjectCode and AcquireSysPriv but not ForceProcThreadTerm, which the wildcard rule YS4 prevents. If an application-specific match ends evaluation, IE would be less restricted than the default; confirm that unlisted access types fall through to YS4. -->
  453.             <AccessDesc at="InjectCode" ar="Prevent" al="Alert"/>
  454.             <AccessDesc at="AcquireSysPriv" ar="Prevent" al="Alert"/>
  455.         </Rule>
  456.         <Rule id="YS3" priority="low" ot="SystemPrivilege" obj_id="*" app_id="Trusted" desc="Unlimited System Privilege access for Trusted group"/> <!-- No AccessDesc children; per desc the Trusted group is exempt from the SystemPrivilege restrictions, so membership of that group is the actual control. -->
  457.         <Rule id="YS4" priority="low" ot="SystemPrivilege" obj_id="*" app="*" desc="Prevents inject code, terminate process and acquire system privileges"> <!-- Default for every other application: all three listed access types are Prevent with al="Alert". -->
  458.             <AccessDesc at="InjectCode" ar="Prevent" al="Alert"/>
  459.             <AccessDesc at="AcquireSysPriv" ar="Prevent" al="Alert"/>
  460.             <AccessDesc at="ForceProcThreadTerm" ar="Prevent" al="Alert"/>
  461.         </Rule>
  462.         <Rule id="PS1" priority="high" preferred="true" ot="Spawning" obj_id="BlackList" app="*" account="both" desc="Prevents applications from BlackList to run"> <!-- Spawning rules with priority="high". PS1 blocks SpawnProc for objects in BlackList from any application, account="both", al="Monitor". The BlackList group itself is not defined in this part of the file. -->
  463.             <AccessDesc at="SpawnProc" ar="Prevent" al="Monitor"/>
  464.         </Rule>
  465.         <Rule id="PS2" priority="high" preferred="true" ot="Spawning" obj_id="*" app_id="Installers" account="both" desc="Allows Installer group applicatations to start other applications and run them in Installers apps security context"> <!-- NOTE(review): desc contains the typo "applicatations"; left as is because desc is an attribute value read by the product. -->
  466.             <AccessDesc at="SpawnProcInOwnSbx" ar="Prevent" al="Ignore"/> <!-- Per desc, preventing the child's own sandbox makes it run in the installer's security context, and al="Ignore" means this is not logged; anything an Installers member launches presumably inherits its rights (TODO confirm). -->
  467.         </Rule>
  468.         <Rule id="PS4" priority="high" preferred="true" ot="Spawning" obj_id="*" app_id="Trusted" desc="Trusted apps can start any application"/> <!-- No AccessDesc children; per desc the Trusted group may spawn any object. -->
  469.         <Rule id="PS5" priority="low" ot="Spawning" app="*" disabled="1" desc="Prevents running MS-DOS applications"> <!-- Per-executable spawning rules. PS5, PS6, PS7, PS9, PS10 and PS11 carry disabled="1"; presumably a disabled rule is skipped, so these targets would be handled by a later wildcard rule instead (TODO confirm). -->
  470.             <Object>MS-DOS</Object>
  471.             <AccessDesc at="SpawnProc" ar="Prevent" al="Monitor"/>
  472.             <AccessDesc at="SpawnProcInOwnSbx" ar="Allow" al="Ignore"/>
  473.         </Rule>
  474.         <Rule id="PS6" priority="low" ot="Spawning" app="*" disabled="1" desc="Asks when at.exe is to be spawned"> <!-- NOTE(review): desc says "Asks" while SpawnProc is ar="Prevent" al="Monitor"; confirm whether enabling this rule prompts the user or blocks outright. The same applies to PS7, PS10 and PS11. -->
  475.             <Object>at.exe</Object>
  476.             <AccessDesc at="SpawnProc" ar="Prevent" al="Monitor"/>
  477.             <AccessDesc at="SpawnProcInOwnSbx" ar="Allow" al="Monitor"/>
  478.         </Rule>
  479.         <Rule id="PS7" priority="low" ot="Spawning" app="*" disabled="1" desc="Asks when cmd.exe is to be spawned">
  480.             <Object>cmd.exe</Object>
  481.             <AccessDesc at="SpawnProc" ar="Prevent" al="Monitor"/>
  482.             <AccessDesc at="SpawnProcInOwnSbx" ar="Allow" al="Monitor"/>
  483.         </Rule>
  484.         <Rule id="PS8" priority="low" ot="Spawning" app="*" desc="Allows other applications to start cscript.exe but applies their security context to it"> <!-- Enabled pattern shared by PS8, PS12, PS13 and PS14: any application may start the target, and the target is denied its own sandbox so that, per desc, it runs under the caller's security context. -->
  485.             <Object>cscript.exe</Object>
  486.             <AccessDesc at="SpawnProc" ar="Allow" al="Ignore"/> <!-- NOTE(review): al="Ignore" means starts of this script host are not recorded by this rule; Monitor would give process-start visibility. -->
  487.             <AccessDesc at="SpawnProcInOwnSbx" ar="Prevent" al="Monitor"/>
  488.         </Rule>
  489.         <Rule id="PS9" priority="low" ot="Spawning" app="*" account="both" disabled="1" desc="Prevents spawning of dllhost.exe">
  490.             <Object>dllhost.exe</Object>
  491.             <AccessDesc at="SpawnProc" ar="Prevent" al="Monitor"/>
  492.             <AccessDesc at="SpawnProcInOwnSbx" ar="Allow" al="Ignore"/>
  493.         </Rule>
  494.         <Rule id="PS10" priority="low" ot="Spawning" app="*" disabled="1" desc="Asks when explorer.exe is to be spawned">
  495.             <Object>explorer.exe</Object>
  496.             <AccessDesc at="SpawnProc" ar="Prevent" al="Monitor"/>
  497.             <AccessDesc at="SpawnProcInOwnSbx" ar="Allow" al="Monitor"/>
  498.         </Rule>
  499.         <Rule id="PS11" priority="low" ot="Spawning" app="*" disabled="1" desc="Asks when net.exe is to be spawned">
  500.             <Object>net.exe</Object>
  501.             <AccessDesc at="SpawnProc" ar="Prevent" al="Monitor"/>
  502.             <AccessDesc at="SpawnProcInOwnSbx" ar="Allow" al="Monitor"/>
  503.         </Rule>
  504.         <Rule id="PS12" priority="low" ot="Spawning" app="*" desc="Allows other applications to start net1.exe but applies their security context to it">
  505.             <Object>net1.exe</Object>
  506.             <AccessDesc at="SpawnProc" ar="Allow" al="Ignore"/>
  507.             <AccessDesc at="SpawnProcInOwnSbx" ar="Prevent" al="Monitor"/>
  508.         </Rule>
  509.         <Rule id="PS13" priority="low" ot="Spawning" app="*" desc="Allows other applications to start rundll32.exe but applies their security context to it">
  510.             <Object>rundll32.exe</Object>
  511.             <AccessDesc at="SpawnProc" ar="Allow" al="Ignore"/> <!-- As with PS8: the start itself is allowed and unlogged; only an attempt to give rundll32.exe its own sandbox is prevented and monitored. -->
  512.             <AccessDesc at="SpawnProcInOwnSbx" ar="Prevent" al="Monitor"/>
  513.         </Rule>
  514.         <Rule id="PS14" priority="low" ot="Spawning" app="*" desc="Allows other applications to start wscript.exe but applies their security context to it">
  515.             <Object>wscript.exe</Object>
  516.             <AccessDesc at="SpawnProc" ar="Allow" al="Ignore"/>
  517.             <AccessDesc at="SpawnProcInOwnSbx" ar="Prevent" al="Monitor"/>
  518.         </Rule>
  519.         <Rule id="PS15" priority="low" ot="Spawning" obj_id="Trusted" app="*" desc="Allows starting of Trusted apps from other applications"/> <!-- Any application may start a member of the Trusted group (no AccessDesc children). NOTE(review): rules CS4, YS3 and PS4 give Trusted unrestricted COM, privilege and spawn rights, so verify which security context a Trusted app gets when an untrusted parent starts it, and how group membership is decided. -->
  520.         <Rule id="PS16" priority="low" ot="Spawning" obj_id="TrustedServices" app="*" desc="Allows starting of TrustedServices apps from other applications"/> <!-- Same grant for the TrustedServices group; the group is not defined in this part of the file. -->
  521.         <Rule id="PS17" priority="low" ot="Spawning" obj_id="*" app="*" desc="Asks when other applications are to be spawned"> <!-- Wildcard spawning rule: both access types are ar="Allow" with al="Monitor". desc says "Asks", so Monitor presumably involves a user prompt or log entry (TODO confirm). -->
  522.             <AccessDesc at="SpawnProc" ar="Allow" al="Monitor"/>
  523.             <AccessDesc at="SpawnProcInOwnSbx" ar="Allow" al="Monitor"/>
  524.         </Rule>
  525.         <Rule id="LS2" priority="low" ot="DllLoading" obj_id="*" app="*" desc="Allow to load all dlls from all applications"> <!-- DllLoading default: wildcard DLL object and wildcard application. -->
  526.             <AccessDesc at="*" ar="Allow" al="Ignore"/> <!-- at="*" with Allow/Ignore: this rule places no restriction on DLL loading and records nothing. NOTE(review): the relationship to the SafeToInjectDllGroup property (value SafeDlls) in Globals is not visible here; confirm whether DLL loads are constrained anywhere else. -->
  527.         </Rule>
  528.     </RuleList>
  529. </SecDb>